formbook | d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476

General

Target

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Size

942KB
MD5

183a8b19a056c944237876bea31a697c
SHA1

c11f5484af3e4d8e34c35a7b7363078b0f23e079
SHA256

d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
SHA512

29821c783a90ffbeca765cb50e178fa772acc78b22b23490e7329b8b406cd6184e65359a24c068b3ac30936410b1a7920ed393b08ee2bb9e34fd81604eed89b6
SSDEEP

12288:GO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl9vai2K046Mnq0UnsO5lJkKzUvoc:XHBQLW10ergut8+VuRHPXWMj

Score

10^/10

formbook rf3t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rf3t

Decoy

palmettohomeswakulla.com

sorelleapparel.com

abouttohour.com

ogrownhemp.com

themontagnard.com

zarioch.space

lty712.info

ajdstone.com

600plusgymspa.com

schmitzland.com

luhuigw.com

mysafeplacetoinsure.com

barkpark.club

investigation-science.com

sermonartnotes.net

gorgeousflippinllc.com

smarttrendshop.com

markusjungfoto.com

glyzaelbol.info

thewiseowl.art

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2892-15-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description pid process target process

PID 836 set thread context of 2892 836 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2764 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

pid process

836 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
2892 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 836 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2892-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

description	pid	process	target process
PID 836 set thread context of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

pid	process
2764	schtasks.exe

pid	process
836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
2892	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description	pid	process	target process
PID 836 wrote to memory of 2764	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 836 wrote to memory of 2764	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 836 wrote to memory of 2764	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 836 wrote to memory of 2764	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 836 wrote to memory of 2892	836	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKyccEisJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp932B.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp932B.tmp
Filesize
1KB

MD5
9c51f904245ec14d34097bbdfc45cade

SHA1
d44d3d6e271ea90901005422db5c97cf77fb503f

SHA256
da35a80468fe328f3f2d82dc941fc7e6120c300fb845f3a6885ddfd39684a0a3

SHA512
6ab21d29a793acadd0105d58c4b9c3ac52ef0448e0b6079e78dffaaafc4cef04537eb8822b705f27b2094600bc29c238466032cc0dc4a898f12711ae3be32a98

Download Submit
memory/836-6-0x0000000004FC0000-0x0000000005064000-memory.dmp

Filesize
656KB

Download
memory/836-1-0x0000000000A30000-0x0000000000B22000-memory.dmp

Filesize
968KB

Download
memory/836-3-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/836-4-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/836-5-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/836-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/836-7-0x0000000004550000-0x00000000045A6000-memory.dmp

Filesize
344KB

Download
memory/836-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/836-16-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-17-0x0000000000B30000-0x0000000000E33000-memory.dmp

Filesize
3.0MB

Download
memory/2892-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing